IIS: Disabling Weak SSL Protocols and Ciphers
It's no secret by now that if your web site sees credit card numbers (even if they are passed to a third party gateway) you need to comply with the PCI DSS standards.
Requirement 4.1 states:
Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
If you are running IIS there are typically several weak Protocols and Ciphers enabled, such as SSLv2, and 40-56 bit key ciphers. The Internet Information Services Management Console doesn't have a GUI to let you disable these protocols and ciphers. You need to use Regedit to make several registry changes in order to disable these.
While doing some consulting work last week a client mentioned how useful it would be to have a product for toggling ciphers and protocols in IIS. I agreed, and built the following:
I also built a web based tool to test your server for SSLv2. The testing tool works on both IIS and Apache Web servers.
Tweet
add to del.icio.us
| Tags: iis, ssl, ciphers, protocols, cryptography, windows, security, config, utilities
Related Entries
- Request Filtering in IIS 7 Howto - February 16, 2010
- Howto Disable the Server Header in IIS - December 6, 2005
- ColdFusion Lockdown Series - Multiple Partitions - April 21, 2011
- Changing the ColdFusion CFIDE Scripts Location - January 10, 2011
- HTTP Strict Transport Security - September 17, 2010
Trackbacks
Post a Comment
Recent Entries
- Nginx redirect www to non www domain
- HashDOS and ColdFusion
- HackMyCF Updated for APSB11-29 Security Hotfix
- Adobe eSeminar on FuseGuard
- Determining Which Cumulative Hotfixes are Installed on ColdFusion
- Adding Two Factor Authentication to ColdFusion Administrator
- ColdFusion Developer Week at Adobe.com
- Bug Loading Scripts for CFFileUpload and CFMediaPlayer
